Incorporating contextual integrity into privacy decision making: a risk based approach.

Abstract

This work sought to create a privacy assessment framework that would encompass legal, policy and contextual considerations to provide a practical decision support tool or prototype for determining privacy risks, thereby integrating the privacy decision-making function into organisational decision-making by default. This was achieved by way of a meta-model from which two separate privacy assessment frameworks were derived, each represented as a stand-alone prototype spreadsheet tool for privacy assessment before being amalgamated into the main contribution of this work, the PACT (PrivACy Throughout) framework, also presented as a prototype spreadsheet. Thus, this work makes four contributions. First, a meta-model of Contextual Integrity (CI) (Nissenbaum 2010) is presented, where CI has been broken down into its component parts to provide an easy to interpret visual representation of CI. Second, a practical privacy decision support framework for assessing data suitability for publication as open data, the ContextuaL Integrity For Open Data (CLIFOD) questionnaire is presented. Third, the scope of the framework is expanded upon to include other industry sectors or domains. To this end, a data protection impact assessment (DPIA), the DPIA Data Wheel, is exhibited that integrates the provisions brought in by the General Data Protection Regulation (GDPR) with CI and a revised version of CLIFOD. This framework is applied and evaluated in the charity sector to demonstrate the applicability of the concepts derived in CLIFOD to any domain where data is processed or shared. Finally, this work culminates with the main contribution of this work, one overarching framework, PrivACy Throughout (PACT). PACT is a privacy decision framework for assessing privacy risks throughout the data lifecycle. It has been derived and underpinned by existing theory though the amalgamation of CLIFOD and the DPIA Data Wheel and extended upon to include a privacy lifecycle plan (PLAN) for managing the data throughout its data life cycle. PACT, incorporates context (using CI), with contemporary legislation, in particular, the General Data Protection Regu- lation (GDPR), to facilitate consistent and repeatable privacy risk assessment from both the perspective of the data subject and the organisation, thereby supporting organisational decision making around privacy risk for both existing and new projects, systems, data and processes.